Hello to everyone, thank you Frank and thank you Robert for your answers. I tried to find out more. Being root on an NFS4 client I ran the following commands with different results. Before I tried this I commented out my auth_to_local rules from /etc/krb5.conf:
# su username -c "/usr/bin/kinit username/cron@MYREALM; touch /home/username/xx"
Password for username/cron@MYREALM: ******
touch: cannot touch `/home/username/xx': Permission denied

and after a reboot of the NFS client and after kdestroying all the /tmp/krb5_* caches I ran this:

# su username -c "/usr/bin/kinit username@MYREALM; touch /home/username/xx"
Password for username@MYREALM: ******
# <success: no error message>

So using principal username/cron@MYREALM does not permit the unix user username to write to NFS, while principal username@MYREALM does.

Behind the scenes there is an LDAP server that NFS client and server are configured to use in order to find out e.g. the uid of user "username" for id mapping. Running getent passwd username returns on both sides the same entry with the same unix uid and gid.

So the question for me is: should a principal "username/cron" automatically be mapped to a local unix user "username", so that "username" is then allowed to access an NFS4 mounted directory that belongs to "username"? This is what does not work for me at the moment. Does anyone have such a setup that's working? Is perhaps some kind of flag needed for the kerberos cron-principal to make it work?

If I try to play around with auth_to_local rules, which to my understanding are intended for this purpose, where do I have to define them? On the NFS client, the NFS server or the Kerberos server, or on all of them?

Thanks a lot
Rainer

Am 05.05.2015 um 16:43 schrieb Frank Cusack:
> I'm surprised you need a mapping at all. The default mapping should
> simply strip any instance component. What happens if you kinit
> "manually" with username/cron using a password?
>
> On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krie...@uni-koblenz.de
> <mailto:krie...@uni-koblenz.de>> wrote:
>
> Hello,
>
> I am setting up a kerberos/NFS4 environment. Basically everything seems
> to work. Every user has of course a principal username@MYREALM, where
> username is the unix user name.
> The users' homes are on a kerberos/NFS4
> mounted directory.

-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
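To make the auth_to_local question in the thread concrete, here is a small, added illustration (not from the thread or from MIT krb5 itself) that re-implements the documented semantics of MIT-style auth_to_local entries: the built-in DEFAULT rule only maps single-component principals in the default realm, while an explicit RULE can map username/cron@MYREALM to username. The realm MYREALM and the rule text are assumptions chosen to match the principals in the message.

```python
import re

# Assumed default_realm for this example, matching the principals in the thread.
DEFAULT_REALM = "MYREALM"

# Constructed rule set: first map two-component principals whose instance is
# exactly "cron" to their first component, then fall back to the DEFAULT rule.
RULES = [
    "RULE:[2:$1;$2](^.*;cron$)s/;.*$//",
    "DEFAULT",
]


def parse_principal(principal):
    """Split 'name/instance@REALM' into its components and realm."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Apply one auth_to_local entry; return the local name or None if it does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # The built-in default only maps single-component principals in the default realm.
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = re.match(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)", rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, selector, subs = m.groups()
    if len(comps) != int(ncomp):
        return None  # rule only applies to principals with exactly ncomp components
    # Expand $0 (realm) and $1..$n (components) into the format string.
    text = re.sub(r"\$(\d+)", lambda mm: ([realm] + comps)[int(mm.group(1))], fmt)
    if selector and not re.fullmatch(selector, text):
        return None  # the optional (regexp) selector did not match
    # Apply any trailing sed-style s/pattern/replacement/[g] substitutions.
    for pat, repl, flag in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        text = re.sub(pat, repl, text, count=0 if flag else 1)
    return text


def map_principal(rules, principal):
    """Return the local user name for principal, or None if no rule maps it."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("username/cron@MYREALM", "username@MYREALM", "username/admin@MYREALM"):
        print(p, "->", map_principal(RULES, p))
```

Running the same principals through only the DEFAULT rule shows the behaviour the thread observed: username@MYREALM maps, username/cron@MYREALM does not.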
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos